FIN10

FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. [1]

ID: G0051
Version: 1.3
Created: 14 December 2017
Last Modified: 26 May 2021

Techniques Used

Domain ID Name Use
Enterprise T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.[1][2]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.[1][2]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

FIN10 has executed malicious .bat files containing PowerShell commands.[1]

Enterprise T1078 Valid Accounts

FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor.[1]

Enterprise T1078.003 Valid Accounts: Local Accounts

FIN10 has moved laterally using the Local Administrator account.[1]

Enterprise T1570 Lateral Tool Transfer

FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.[1]

Enterprise T1070.004 Indicator Removal: File Deletion

FIN10 has used batch scripts and scheduled tasks to delete critical system files.[1]

Enterprise T1033 System Owner/User Discovery

FIN10 has used Meterpreter to enumerate users on remote systems.[1]

Enterprise T1588.002 Obtain Capabilities: Tool

FIN10 has relied on publicly available software to gain footholds and establish persistence in victim environments.[1]

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

FIN10 has used RDP to move laterally to systems in the victim environment.[1]

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.[1][2]

Software

ID Name References Techniques
S0363 Empire [1] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Event Triggered Execution: Accessibility Features, Credentials from Password Stores: Credentials from Web Browsers, Use Alternate Authentication Material: Pass the Hash, Create or Modify System Process: Windows Service, Create Account: Local Account, Create Account: Domain Account, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Domain Trust Discovery, Domain or Tenant Policy Modification: Group Policy Modification, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data, OS Credential Dumping: LSASS Memory, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Native API, Exploitation for Privilege Escalation, Browser Information Discovery, Obfuscated Files or Information: Command Obfuscation, Abuse Elevation Control Mechanism: Bypass User Account Control, Email Collection: Local Email Collection, Indicator Removal: Timestomp, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Group Policy Discovery, Network Share Discovery, Network Sniffing, Web Service: Bidirectional Communication, Network Service Discovery, Automated Collection, Automated Exfiltration, Video Capture, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Exploitation of Remote Services, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Scheduled Task/Job: Scheduled Task

References